MEMORANDUM FOR DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT:  Audit  Report  on  the  Followup  Audit  of  Controls  Over  Operating  System 
and Security Software and Other General Controls for Computer Systems
Supporting  the  Defense  Finance  and  Accounting  Service 
(Report  No.  96-053) 


We  are  providing  this  report  for  review  and  comment.  We  performed  the  audit 
in  response  to  a  request  from  the  Under  Secretary  of  Defense  (Comptroller)  and  the 
Assistant Secretary of Defense (Command, Control, Communications and Intelligence).
We  considered  management  comments  on  a  draft  of  this  report  in  preparing  the  final 
report. 


DoD  Directive  7650.3  requires  that  all  recommendations  be  promptly  resolved. 
Comments  from  the  Defense  Information  Systems  Agency  were  generally  responsive, 
but  specific  comments  were  not  provided  on  all  of  the  recommendations.  Therefore, 
additional  comments  are  requested  by  February  5,  1996,  as  indicated  at  the  end  of 
Finding  B  in  Part  I  of  the  report. 

We  appreciate  the  courtesies  extended  to  our  audit  staff.  Questions  about  the 
audit  should  be  directed  to  Mr.  David  C.  Funk,  Audit  Program  Director,  at 
(303)  676-7445  (DSN  926-7445),  or  Mr.  W.  Andy  Cooley,  Audit  Project  Manager,  at 
(303)  676-7393  (DSN  926-7393).  See  Appendix  G  for  the  report  distribution.  The 
audit  team  members  are  listed  inside  the  back  cover. 

Robert J. Lieberman
Assistant  Inspector  General 
for  Auditing 

Followup Audit of Controls Over
Operating  System  and  Security  Software  and  Other 
General  Controls  for  Computer  Systems  Supporting 
the  Defense  Finance  and  Accounting  Service 


Executive  Summary 


Introduction.  This  is  the  third  in  a  series  of  followup  audits  made  to  evaluate  the 
corrective  actions  taken  by  the  Defense  Finance  and  Accounting  Service,  the  Defense 
Information  Systems  Agency,  and  the  Defense  Logistics  Agency  in  response  to  prior 
audits  of  computer  security  and  other  general  controls.  This  audit  focused  on  actions 
by  the  Defense  Information  Systems  Agency,  Western  Hemisphere  Defense 
megacenters  in  Denver,  Colorado,  and  St.  Louis,  Missouri,  to  correct  security 
problems with computer systems that migrated from the former Defense Information
Processing  Centers  in  Indianapolis,  Indiana,  and  Kansas  City,  Missouri,  and  from  the 
Marine  Corps  Computer  and  Telecommunications  Activity  in  Quantico,  Virginia.  The 
followup  audits  were  requested  by  the  Under  Secretary  of  Defense  (Comptroller)  and 
the Assistant Secretary of Defense (Command, Control, Communications and
Intelligence). 

Audit  Objectives.  Our  objective  was  to  determine  whether  corrective  actions  taken  or 
planned  by  the  two  Defense  megacenters  to  improve  computer  security  adequately 
responded  to  the  recommendations  made  in  two  prior  reports: 

o Report No. 93-002, "Controls Over Operating System and Security Software
Supporting  the  Defense  Finance  and  Accounting  Service,"  October  2,  1992,  and 

o  Report  No.  94-065,  same  title,  March  24,  1994. 

The  audit  also  evaluated  the  effectiveness  of  applicable  management  controls. 

Audit  Results.  The  two  Defense  megacenters  made  commendable  efforts  to  implement 
22  of  the  25  prior  audit  recommendations.  The  Defense  Megacenter,  St.  Louis, 
Missouri,  adequately  implemented  all  of  the  prior  recommendations  applicable  to  the 
systems  that  migrated  to  it.  At  the  Defense  Megacenter,  Denver,  Colorado,  the 
planned  corrective  actions  on  the  remaining  three  recommendations  were  considered 
adequate,  although  incomplete.  A  new  security  software  problem  was  identified  during 
the  audit,  requiring  corrective  action  by  the  Defense  Information  Systems  Agency, 
Western  Hemisphere,  Fort  Ritchie,  Maryland. 

Due  to  their  sensitive  nature,  the  deficiencies  discussed  in  this  report  are  presented  in 
general  terms  only;  specific  details  of  the  findings  were  separately  provided  to 
management.  Although  no  quantifiable  monetary  benefits  were  disclosed,  the  audit 
showed  that  opportunities  existed  for  improving  computer  security  within  the  Defense 
Information  Systems  Agency  (Appendix  E).  The  cumulative  results  of  this  audit  and 
two prior followup audits are provided in Appendix D of this report. The results of
this audit of the corrective actions taken by the Defense Information Systems Agency
are  summarized  below  and  in  more  detail  in  Part  I  of  the  report. 

o Controls over sensitive features of the operating system needed further
improvement  at  the  Defense  Megacenter,  Denver,  Colorado.  As  a  result,  application 
programs  and  data,  such  as  pay  records,  could  be  added,  modified,  or  deleted  without 
detection.  The  lack  of  control  over  one  operating  system  feature  was  a  material 
weakness  (Finding  A). 

o  Controls  over  certain  aspects  of  the  security  software  at  the  Defense 
Megacenter,  Denver,  Colorado,  were  not  adequately  implemented.  A  new  security 
problem  related  to  a  sensitive  administrative  authority  was  also  identified.  The  Defense 
megacenters  in  Denver,  Colorado,  and  St.  Louis,  Missouri,  immediately  corrected  the 
new  security  problem  on  their  systems.  However,  the  Defense  Information  Systems 
Agency,  Western  Hemisphere,  Fort  Ritchie,  Maryland,  needed  to  verify  that  the  same 
problem  did  not  exist  at  other  Defense  megacenters.  Because  of  these  weaknesses, 
knowledgeable  users  at  both  Defense  megacenters  and  possibly  at  other  locations  could 
gain  unauthorized  system  access  or  perform  unauthorized  tasks  without  detection.  At 
the  Defense  Megacenter,  Denver,  Colorado,  the  integrity  was  jeopardized  on  one 
computer  system  used  for  processing  payroll  transactions  of  $29  billion  annually. 
Similar  integrity  problems  may  exist  at  other  Defense  megacenters  if  excessive  access 
was  granted  to  the  sensitive  administrative  authority  (Finding  B). 

Summary  of  Recommendations,  Management  Comments,  and  Audit  Response. 
We  recommend  improvements  in  the  control  and  oversight  of  operating  system  and 
security  software  by  the  Defense  Information  Systems  Agency,  Western  Hemisphere, 
and  the  Defense  Megacenter,  Denver,  Colorado.  Implementing  the  recommendations 
made  in  this  report  will  complete  the  corrective  actions  required  in  response  to  the  prior 
recommendations  we  evaluated.  Management  concurred  in  the  findings  and 
recommendations.  Pending  its  replacement,  the  use  of  one  supervisor  call  was  being 
monitored.  Improvements  had  been  made  or  were  planned  in  the  controls  over 
sensitive  utilities,  a  monitoring  facility,  and  the  tape  management  system.  Although 
concurring  with  the  recommendations,  management  did  not  provide  adequate  comments 
on Recommendations B.1.b., B.2.a., B.2.b., and B.2.c. We request that management
provide additional comments on this report by February 5, 1996. See Part I for our
response to management's comments and Part III for the complete text of the
comments. 

Audit Results


Audit  Background 


Computer  Security.  During  FYs  1990  through  1994,  the  Inspector 
General  (IG),  DoD,  and  the  Air  Force  Audit  Agency  (AFAA)  performed  a 
series  of  five  audits  to  evaluate  controls  over  operating  system  and  security 
software  and  other  general  controls  for  computer  systems  supporting  the 
Defense  Finance  and  Accounting  Service  (DFAS).  As  detailed  in  Appendix  B, 
the  audits  determined  that  financial  computer  systems  critical  to  DoD  were 
exposed  to  fraud  and  other  risks.  Knowledgeable  users  could  exploit 
weaknesses  in  the  operating  system  controls  to  improperly  access,  add,  modify, 
or  destroy  sensitive  computer  data,  programs,  and  other  resources  (accidentally 
or  intentionally)  without  risk  of  detection. 

Congressional  and  DoD  Oversight.  Heightened  concern  over  DoD  computer 
security  surfaced  during  FY  1994.  As  a  result,  the  IG,  DoD,  was  asked  to 
follow  up  on  prior  audits  of  computer  security.  In  April  1994,  the  Deputy  IG 
testified  on  DoD  financial  management  issues  before  the  Senate  Governmental 
Affairs  Committee.  The  Deputy  IG  advised  the  committee  that  inadequate 
controls  over  computer  security  were  among  several  high-risk  problems 
requiring  the  immediate  attention  of  DoD.  In  May  1994,  the  committee 
chairman  requested  that  the  IG,  DoD,  closely  monitor  DoD  efforts  to  correct 
weaknesses  in  computer  security  and  other  financial  management  problems. 

Also  in  April  1994,  the  Assistant  Secretary  of  Defense  (Command,  Control, 
Communications  and  Intelligence)  requested  a  briefing  on  computer  security 
from  the  IG,  DoD.  As  a  result  of  that  briefing  and  directions  from  the  Assistant 
Secretary,  the  Defense  Information  Systems  Agency  (DISA)  created  a  task  force 
on  information  security  (the  DISA  task  force)  to  improve  information  systems 
security  at  all  Defense  megacenters,  including  the  computer  centers  that  were 
being  consolidated  into  DISA  Western  Hemisphere  (WESTHEM)  Defense 
megacenters.  One  of  the  DISA  task  force  objectives  was  reviewing  and 
verifying  the  implementation  of  prior  audit  recommendations  related  to 
computer  security  at  those  sites. 

In  June  1994,  the  Senior  Financial  Management  Oversight  Council,  chaired  by 
the  Deputy  Secretary  of  Defense,  was  briefed  on  the  computer  security  of  DoD 
financial  management  systems.  Among  other  actions,  the  Deputy  Secretary  of 
Defense  directed  DISA  and  DFAS  to  ensure  that  problems  in  computer  security 
were  corrected.  The  Deputy  Secretary  of  Defense  also  expressed  reliance  on 
the  IG,  DoD,  to  provide  oversight  to  ensure  that  security  was  improved. 

Audit  Request.  On  July  12,  1994,  in  response  to  directions  from  the  Deputy 
Secretary  of  Defense,  the  Under  Secretary  of  Defense  (Comptroller)  and  the 
Assistant  Secretary  of  Defense  (Command,  Control,  Communications  and 
Intelligence)  requested  that  the  IG,  DoD,  confirm  that  DFAS  and  DISA  had 
corrected  the  previously  reported  problems  with  computer  security.  The  IG, 
DoD,  expanded  the  audit  scope  to  include  evaluating  corrective  actions  taken  by 
the  Defense  Megacenter,  Denver,  Colorado  (DMC-Denver)  in  response  to  a 
prior  AFAA  report  and  by  the  Defense  Logistics  Agency,  Defense  Systems 
Design  Center  (DLA-DSDC),  in  response  to  the  prior  IG,  DoD,  report.  The 
prior  reports  are  listed  in  Appendix  B. 

Followup  Completed.  In  responding  to  the  audit  request,  we  issued  the 
following  reports  on  the  followup  completed  at  DFAS,  DISA,  and  DLA: 

o  Report  No.  95-263,  "Controls  Over  Operating  System  and  Security 
Software  and  Other  General  Controls  for  Computer  Systems  Supporting  the 
Defense  Finance  and  Accounting  Service,"  June  29,  1995,  and 

o  Report  No.  95-270,  "Corrective  Actions  on  System  and  Software 
Security  Deficiencies,"  June  30,  1995. 

The  three  Defense  agencies  made  commendable  efforts  to  implement  the  prior 
audit  recommendations.  However,  corrective  action  was  still  required  on  20  of 
the  87  recommendations  followed  up  in  those  audits.  Followup  on  another 
25  recommendations  was  deferred  to  the  current  audit  because  of  the  ongoing 
systems  migrations. 

Current  Followup.  This  report  summarizes  the  audit  of  corrective  actions 
performed  by  DMC-Denver  and  the  Defense  Megacenter,  St.  Louis,  Missouri 
(DMC-St.  Louis),  in  response  to  recommendations  made  in  the  following 
reports: 

o  Report  No.  93-002,  "Controls  Over  Operating  System  and  Security 
Software  Supporting  the  Defense  Finance  and  Accounting  Service,"  October  2, 
1992,  and 

o  Report  No.  94-065,  "Controls  Over  Operating  System  and  Security 
Software  Supporting  the  Defense  Finance  and  Accounting  Service,"  March  24, 
1994. 

These  two  reports  recommended  improvements  and  additions  to  security  and 
operating  system  software  controls  at  the  Marine  Corps  Computer  and 
Telecommunications  Activity  (MCCTA)  and  at  the  DISA  WESTHEM  Defense 
Information  Processing  Centers  (DIPCs)  at  Indianapolis,  Indiana,  and  Kansas 
City,  Missouri.  During  FY  1995,  the  computer  systems  previously  audited  at 
MCCTA  and  DIPC-Kansas  City  migrated  to  DMC-St.  Louis.  The  computer 
system  previously  audited  at  DIPC-Indianapolis  migrated  to  DMC-Denver 
during  the  same  period. 

Technical  Terms.  See  Appendix  C,  "Glossary,"  for  definitions  of  the  technical 
terms  used  in  this  report. 

Audit  Objectives 


The  objective  of  our  audit  was  to  determine  whether  corrective  actions  taken  or 
planned  by  DMC-Denver  and  DMC-St.  Louis  to  improve  computer  security 
adequately  responded  to  the  recommendations  made  to  MCCTA,  DIPC- 
Indianapolis,  and  DIPC-Kansas  City  in  IG,  DoD,  Reports  No.  93-002  and 
94-065.  In  addition,  we  evaluated  the  effectiveness  of  applicable  management 
controls. 

See  Appendix  A  for  a  discussion  of  the  scope  and  methodology  and  the  results 
of  our  review  of  the  management  control  program. 

Finding A. Operating Systems

Both  DMC-Denver  and  DMC-St.  Louis  had  significantly  improved  their 
operating  system  controls  on  the  five  systems  audited.  However,  DMC- 
Denver  needed  to  take  additional  corrective  actions  on  2  of  16  prior 
audit  recommendations.  Specifically,  DMC-Denver  programmers  had 
not  eliminated  one  supervisor  call  (SVC)  that  jeopardized  system 
integrity,  nor  had  they  established  adequate  controls  over  sensitive 
utilities  on  System  615A.  This  problem  occurred  because  system 
programmers  at  DIPC-Indianapolis  used  an  ineffective  control  technique 
with  the  SVC.  Also,  the  programmers  incorrectly  installed  one  sensitive 
utility.  Security  software  controls  were  not  implemented  over 
commands  issued  for  two  other  sensitive  utilities  through  the  monitoring 
facility.  This  weakness  allowed  anyone  using  that  monitoring  facility  to 
issue  the  sensitive  utility  commands.  As  a  result  of  these  weaknesses, 
application  programs  and  data,  such  as  pay  records,  could  be  added, 
modified,  or  deleted  without  detection,  and  the  system's  integrity  was 
jeopardized.  The  SVC  exposure  is  a  material  management  control 
weakness. 


Operating  System  Function  and  Summary  of  Results 


Function  of  Operating  System.  As  further  detailed  in  the  discussion  of 
methodology  in  Appendix  A,  the  audit  focused  on  the  operating  systems 
covered  by  our  prior  audits  and  the  Computer  Associates,  Incorporated, 
CA-TOP  SECRET  security  software  used  by  those  systems,  as  follows: 

o System 615A, which migrated to DMC-Denver from DIPC-
Indianapolis, 

o  Systems  TTOB  and  TTOC,  which  migrated  to  DMC-St.  Louis  from 
DIPC-Kansas  City,  and 

o  Systems  GXOA  and  GGOA,  which  migrated  to  DMC-St.  Louis  from 
MCCTA. 

The  operating  system  is  a  major  component  of  any  computer  system.  It  is  an 
integrated  collection  of  computer  programs,  service  routines,  and  supervisory 
procedures  that  directs  the  sequence  and  processing  of  computer  applications 
(scheduling  jobs,  loading  programs,  allocating  computer  memory,  managing 
files, and controlling input and output operations). The Multiple Virtual
Storage  (MVS)  operating  systems  also  isolate  and  protect  individual  user 
programs.  When  the  operating  system  features  are  properly  administered  and 
controlled,  only  authorized  programs  can  modify  the  processing  of  other 
programs. However, operating systems are not intended to guarantee that only
authorized  users  can  execute  authorized  programs.  As  discussed  in  Finding  B, 
commercial  security  software  packages  control  authorized  users. 

Summary  of  Results.  Prior  audits  at  DIPC-Indianapolis,  DIPC-Kansas  City, 
and  MCCTA  identified  computer  security  problems  caused  by  inadequate 
controls  over  SVCs  and  sensitive  utility  programs  (Appendixes  B  and  D).  Some 
of  those  management  control  weaknesses  were  material. 

This  followup  audit  determined  that  DMC-St.  Louis  had  adequately 
implemented the nine prior recommendations made to MCCTA and
DIPC-Kansas City. However, DMC-Denver needed to take additional action to
adequately  implement  two  recommendations  made  to  DIPC-Indianapolis  to 
improve  the  controls  over  one  SVC  and  certain  sensitive  utilities.  Details  of  our 
findings  are  presented  below  and  in  Appendix  D. 


Supervisor  Calls 


Although  DMC-Denver  took  action  to  control  the  SVCs  on  System  615A,  one 
SVC  had  an  integrity  exposure.  This  resulted  because  system  programmers  at 
DIPC-Indianapolis  used  an  ineffective  control  technique  (an  imbedded 
password)  to  safeguard  system  integrity.  Imbedded  passwords  were  formerly 
used  by  the  computer  industry  to  control  access  to  SVCs.  However,  research 
showed  that  the  passwords  could  be  extracted  by  knowledgeable  users.  System 
programmers  at  DMC-Denver  were  aware  of  the  problem  with  imbedded 
passwords  and  had  begun  reviewing  ways  to  eliminate  the  integrity  exposure. 
This  integrity  exposure  allowed  any  knowledgeable  user  to  bypass  normal 
controls  on  the  operating  system  and  security  software.  Thus,  users  could  add, 
modify,  or  delete  system  data  without  detection.  The  integrity  exposure  caused 
by  this  SVC  is  a  material  management  control  weakness. 


Sensitive  Utilities 


On  the  DMC-Denver  System  615A,  three  sensitive  utility  programs  were  not 
adequately  controlled.  Commands  for  two  of  the  three  sensitive  utilities  could 
be issued through the monitoring facility. Also, the parameters of the third
sensitive  utility  were  not  properly  defined.  The  inadequate  controls  existed 
because  system  programmers  at  DIPC-Indianapolis  did  not  correctly  install  one 
sensitive  utility.  Security  software  controls  were  not  implemented  over  the 
issuance  of  commands  for  the  remaining  two  utilities  through  the  monitoring 
facility. Knowledgeable users could execute these utilities to destroy data on
tape  files,  bypass  security,  or  make  unauthorized  changes  to  programs  or  data  to 
which  they  had  access. 

Recommendations  for  Corrective  Action 


A.  We  recommend  that  the  Director,  Defense  Information  Systems  Agency, 
Western  Hemisphere,  Defense  Megacenter,  Denver,  Colorado,  take  the 
following  corrective  actions  on  System  615A: 

1.  Make  the  appropriate  changes  required  to  eliminate  the  integrity 
exposure  on  the  one  supervisor  call. 

2.  Install  sensitive  utilities  so  that  parameters  are  properly  defined. 

3.  Implement  security  software  controls  over  the  issuance  of  sensitive 
utility  commands  through  the  monitoring  facility. 


Management  Comments 


Management concurred with Recommendation A.1. to eliminate the integrity
exposure caused by one SVC stating that all programs that call the SVC are
being monitored. Management planned to replace the SVC in March 1996 with
a secured SVC. Management also concurred with Recommendation A.2.
stating the parameters on one sensitive utility had been redefined by activating a
special option on System 615A. Finally, management concurred with
Recommendation A.3. to control the issuance of commands for two sensitive
utilities through the monitoring facility. Management stated that the security
option had been activated for the monitoring facility so that only authorized
users could issue commands for the two utilities. See Part III for the complete
text  of  management's  comments. 

The DMC-St. Louis and DMC-Denver had significantly improved their
security  software  controls  by  taking  corrective  action  on  five  of  six  prior 
audit  recommendations.  DMC-Denver  had  not  fully  implemented  the 
remaining  recommendation,  as  follows: 

o  The  tape  management  system  and  access  authorizations  to  the 
production  job  scheduling  system  were  not  adequately  controlled. 

o  Update  access  to  the  master  catalog  was  not  restricted  to  the 
system  personnel  who  maintained  it. 

These  problems  existed  when  System  615A  migrated  to  DMC-Denver 
from  DIPC-Indianapolis.  DMC-Denver  did  not  have  time  to  correct  the 
exposures because of all the demands placed on its limited resources by
the  system  migration.  In  addition,  DISA  guidelines  did  not  address  the 
tape  management  system  or  how  to  implement  new  security  interface 
options. 

A  new  security  problem  with  potentially  wide  impact  in  DISA 
WESTHEM  was  identified.  Excessive  access  had  been  given  to  an 
administrative  authority  feature  of  the  security  software  that  allowed 
users  to  initiate  sensitive  special  attributes.  Security  officials  at  the  two 
Defense  megacenters  were  not  aware  that  the  assignment  of  the 
administrative  authority  could  result  in  modification  of  the  CA-TOP 
SECRET  control  options. 

By  improper  use  of  CA-TOP  SECRET  security  software,  DMC-Denver 
and  DMC-St.  Louis  increased  the  risk  that  knowledgeable  users  may 
gain  unauthorized  access  or  perform  unauthorized  tasks  without 
detection.  The  security  weaknesses  at  DMC-Denver  jeopardized  the 
integrity  of  the  system  that  processes  Army  active-duty  and  Reserve 
payrolls  totaling  $29  billion  annually.  Although  both  Defense 
megacenters  immediately  corrected  the  new  security  problem  on  their 
systems,  similar  integrity  problems  may  exist  at  other  Defense 
megacenters  if  excessive  access  has  been  granted  to  the  administrative 
authority.


Security  Software  Function  and  Summary  of  Results 


Function  of  Security  Software.  Security  software  is  used  to  protect  computer 
resources  such  as  files,  programs,  tapes,  database  definitions,  libraries,  readers, 
and  processing  capabilities.  As  stated  in  Finding  A,  the  audit  focused  on  the 
computer  operating  systems  covered  by  our  prior  audits  and  the  CA-TOP 
SECRET security software used by those systems, currently identified as
follows: 

o System 615A at DMC-Denver, and

o  Systems  TTOB,  TTOC,  GXOA,  and  GGOA  at  DMC-St.  Louis. 

CA-TOP  SECRET  security  software  offers  a  variety  of  control  options  and 
features  to  enhance  system  security.  The  control  options  and  features  of  the 
security  software  should  be  set  for  the  level  of  security  needed.  The  level  of 
protection  achieved  depends  on  how  well  the  options  and  features  of  CA-TOP 
SECRET  are  administered. 

Summary  of  Results.  In  prior  audits,  the  IG,  DoD,  identified  computer 
security  problems  at  DIPC-Indianapolis,  DIPC-Kansas  City,  and  MCCTA.  The 
problems  were  caused  by  inadequate  controls  over  security  software 
(Appendixes  B  and  D).  Some  of  these  management  control  weaknesses  were 
material  in  nature. 

Despite  the  significant  strides  made  by  DMC-Denver  and  DMC-St.  Louis  in 
improving  controls  over  security  software,  this  followup  audit  determined  that 
additional corrective actions by DMC-Denver were required to fully implement
one  recommendation.  The  audit  also  identified  a  new  computer  security 
problem  related  to  an  administrative  authority.  This  problem  may  exist  at  other 
DISA  WESTHEM  organizations,  as  discussed  below.  Details  of  our  findings 
are  presented  below  and  in  Appendix  D. 


Tape  Management  System 


DMC-Denver  had  not  adequately  secured  tape  file  processing  on  System  615A. 
DMC-Denver  used  the  Computer  Associates,  Incorporated,  CA-1  Tape 
Management  System  to  manage  the  movement  of  tapes  and  cartridges.  The  new 
product  version  of  CA-1  includes  10  security  interface  options  that  provide 
additional  protection  beyond  CA-1  password  protection  by  an  interface  to 
CA-TOP  SECRET.  These  security  interface  options  include  dataset  name 
protection  during  open  and  end-of-volume  processing,  protection  for  the 
creation  of  secondary  data  sets,  on-line  interfaces,  and  CA-1  batch  updates. 
Examples  of  other  options  include  label  processing,  on-line  commands,  and 
EXPDT=98000 processing (the CA-TOP SECRET feature that restricts the
bypassing  of  tape  management  system  checks).  To  invoke  the  security  interface 
options,  DMC-Denver  personnel  must  activate  each  of  these  options  separately. 
These  options  were  not  activated  on  System  615A  because  DISA  guidelines  did 
not  address  the  CA-1  Tape  Management  System  or  implementation  of  the 
product's  new  security  interface  options.  Unless  these  security  interface  options 
are  activated,  CA-TOP  SECRET  security  checks  are  not  accomplished  and  this 
additional  protection  is  not  provided. 

Production Job Scheduling System


Production  scheduling  is  a  process  used  to  schedule  and  start  specific  jobs.  The 
production  job  scheduling  system  at  DMC-Denver  allowed  greater  authority  to 
submit  jobs,  without  job  security  checking  and  auditing,  than  should  be  allowed 
to  accomplish  production  scheduling.  In  addition,  DIPC-Indianapolis  had 
established  user  accessor  identifiers  (ACIDs)  that  were  shared  by  more  than  one 
user.  No  individual  can  be  held  accountable  for  the  functions  performed  when 
shared  ACIDs  are  used.  DMC-Denver  was  aware  of  this  exposure.  However, 
management  did  not  have  sufficient  time  to  address  this  problem  along  with  the 
other  demands  placed  on  its  limited  resources  by  the  system  migration.  Without 
adequate  controls  over  production  scheduling,  the  integrity  of  the  system  that 
processes  Army  active-duty  and  Reserve  payrolls  totaling  $29  billion  annually 
was  not  ensured. 


Master  Catalog 


The  master  catalog  is  a  critical  file  with  an  index  containing  extensive  file  and 
volume  information.  The  computer's  operating  system  uses  this  information  to 
locate  files,  create  and  delete  storage  space,  verify  program  or  operator 
authorization  to  access  a  file,  and  accumulate  usage  statistics.  If  the  master 
catalog  is  disabled,  accidentally  or  deliberately,  the  operating  system  will  not 
function. 

DIPC-Indianapolis  did  not  restrict  update  access  to  the  master  catalog  to  the 
system  programmers  who  maintain  it.  For  example,  4  ACIDs  were  assigned  to 
profiles  (see  Appendix  C,  "Glossary")  that  gave  72  users  update  access  to  the 
master  catalog.  Only  the  system  programmers  who  maintain  the  master  catalog 
should  have  update  access. 

DMC-Denver  recognized  the  need  to  evaluate  and  strengthen  access  controls  to 
the  master  catalog.  This  task  was  extensive  because  implementation  procedures, 
standards,  and  security  rules  had  to  be  reviewed.  The  DMC-Denver  did  not 
have  sufficient  time  to  complete  the  task  since  the  system's  migration  from 
DIPC-Indianapolis.  DMC-Denver  managers  expected  to  complete  the  task  by 
December  31,  1995. 


Administrative  Authority 


A  new  security  problem  was  identified  with  potentially  wide  impact  in  DISA 
WESTHEM. The DIPC-Indianapolis, DIPC-Kansas City, and MCCTA had
given  excessive  access  to  an  administrative  authority  feature  that  allowed  users 
to  initiate  sensitive  special  attributes.  For  example,  the  use  of  this  feature 
allowed access to the CONSOLE attribute, a sensitive restricted attribute that
gives  users  the  ability  to  change  CA-TOP  SECRET  control  options.  At  the  time 
of  our  audit,  15  users  on  the  DMC-Denver  system  and  26  users  on  the 
DMC-St.  Louis  systems  could  use  the  administrative  authority  to  assign  specific 
special  attributes  to  themselves.  Of  the  41  total  users,  28  (6  at  DMC-Denver 
and  22  at  DMC-St.  Louis)  should  not  have  had  the  unlimited  access  allowed  by 
the  administrative  authority.  Security  officials  at  both  Defense  megacenters 
were  not  aware  that  this  administrative  authority  could  be  used  to  modify  the 
CA-TOP  SECRET  control  options. 

When  managers  at  DMC-Denver  and  DMC-St.  Louis  were  notified  of  this 
condition,  they  took  immediate  action  to  control  the  use  of  the  administrative 
authority.  The  administrative  authority  granted  to  the  28  users  was  redefined  to 
reduce  the  risk  of  unauthorized  changes  being  made  to  the  CA-TOP  SECRET 
security  software.  We  did  not  make  recommendations  in  this  report  to 
DMC-St.  Louis  and  DMC-Denver  because  of  their  prompt  corrective  action  on 
this  issue.  However,  based  on  our  findings  at  those  two  organizations,  we 
advised  the  DISA  WESTHEM  Security  Office  of  our  concern  that  the  same 
problem  may  exist  at  other  Defense  megacenters. 


Recommendations  for  Corrective  Action 


B.1. We recommend that the Commander, Defense Information Systems
Agency, Western Hemisphere:

a. Amend the "DISA WESTHEM Personnel and Security: MVS
Security Technical Implementation Standards" to include standard guidelines for
implementation of the Computer Associates, Incorporated, CA-1 Tape
Management System.

b. Amend the "DISA WESTHEM Personnel and Security: MVS
Security Technical Implementation Standards" to address the sensitive
administrative authority and restrict its use to authorized security administrators.

c. Include in the Defense Information Systems Agency, Western
Hemisphere, security compliance inspections a review of the Defense
megacenters' implementation of the Computer Associates, Incorporated,
CA-1 Tape Management System and the use of the sensitive administrative
authority, as established in accordance with Recommendations B.1.a. and
B.1.b.

B.2. We recommend that the Director, Defense Megacenter, Denver,
Colorado, direct the following actions for System 615A:

a. Implement the Production Job Scheduling System to allow for job
security checking and auditing.

b. Define all users individually to the system by assigning user accessor
identifiers according to the users' needs, and remove all shared accessor
identifiers.


c.  Limit  access  to  update  the  master  catalog  to  the  system  programmers 
responsible  for  maintaining  the  master  catalog. 


Management  Comments 


Management concurred with Recommendation B.1.a. stating that the next
revision  to  the  "DISA  WESTHEM  Personnel  and  Security:  MVS  Security 
Technical  Implementation  Standards"  (scheduled  for  March  1996)  would 
include  controls  for  the  tape  management  system.  Management  also  concurred 
with Recommendation B.1.c. stating that the current checklist used in
conducting  DISA  WESTHEM  security  compliance  inspections  provides  for  a 
review  of  the  controls  over  the  tape  management  system.  By  December  1995, 
management  plans  to  revise  the  checklist  to  include  a  review  of  the  use  of  the 
sensitive  administrative  authority. 

Management  concurred  with  Recommendations  B.2.a.  through  B.2.c.  to 
improve  controls  over  the  Production  Job  Scheduling  System,  accessor 
identifiers,  and  the  master  catalog.  However,  the  comments  provided  by 
management actually related to Recommendations B.1.a. and B.1.c. to improve
controls  over  the  CA-1  Tape  Management  System.  See  Part  III  for  the 
complete  text  of  management's  comments. 


Audit  Response 


Management's comments on Recommendations B.1.a. and B.1.c. were fully
responsive.  However,  no  management  comments  were  provided  for  the  other 
recommendations,  as  discussed  below: 

o Management did not comment on Recommendation B.1.b. to revise
the "DISA WESTHEM Personnel and Security: MVS Security Technical
Implementation Standards" to provide guidance on the sensitive administrative
authority.

o Although management comments were provided for Recommendations
B.2.a. through B.2.c., they actually related to Recommendations B.1.a.
and B.1.c., which concern the CA-1 Tape Management System.

In accordance with DoD Directive 7650.3, additional comments are requested
from DISA on Recommendations B.1.b., B.2.a., B.2.b., and B.2.c.

Appendix A. Scope and Methodology

Scope  and  Methodology 


Methodology.  We  examined  operating  system  features  that  can  affect  the 
integrity  of  operating  system  and  security  software.  Those  operating  system 
features  were  the  authorized  program  facility  (APF),  SVCs,  the  time  share 
option,  the  program  properties  table  (PPT),  the  job  entry  subsystem  2  (JES2), 
started  tasks,  and  sensitive  utilities.  We  examined  the  implementation  of  the 
CA-TOP  SECRET  security  software.  We  also  examined  other  general  controls 
over sensitive programmer positions, the tape management system, and the
off-site storage of operating system backups.

The  audit  was  limited  to  evaluating  the  controls  over  the  computer  systems 
covered  by  our  prior  audits.  At  DMC-Denver,  the  audit  was  limited  to 
evaluating the controls over System 615A. This was the DIPC-Indianapolis
computer system identified in our Report No. 93-002 that processed the Army
Joint Uniform Military Pay System. We did not follow up on the prior
recommendations made in Report No. 93-002 on the test system at
DIPC-Indianapolis. That system was being merged with other DMC-Denver systems
and  was  not  expected  to  exist  after  December  31,  1995.  At  DMC-St.  Louis,  the 
audit  was  limited  to  evaluating  the  controls  over  four  computer  systems: 

o Systems TTOB and TTOC (previously identified in Report No. 94-065
as the Defense Information Services Organization-Kansas City systems), and

o Systems GXOA and GGOA (previously identified in Report
No. 94-065 as the MCCTA Worldwide Support Division system and the
MCCTA system, respectively).

Use  of  Computer-Processed  Data.  To  achieve  the  audit  objectives,  we  relied 
on  computer-processed  data  in  the  operating  system  libraries  and  the  security 
software  of  each  organization.  We  used  the  Computer  Associates, 
Incorporated, CA-EXAMINE audit software to extract data directly from
computer memory and operating system libraries. The CA-EXAMINE software
audits  MVS  operating  systems.  We  used  automated  and  manual  techniques  to 
analyze  system  data.  For  example,  to  test  operating  system  and  security  rules 
and  features,  we  used  the  audit  features  of  the  CA-TOP  SECRET  security 
software.  All  system  testing  and  use  of  audit  software  were  done  in  a  controlled 
environment  with  management's  approval.  Based  on  those  tests  and 
assessments,  we  concluded  that  the  data  were  sufficiently  reliable  to  be  used  in 
meeting  the  audit  objectives. 

Organizations  Visited,  Audit  Period,  and  Standards.  We  performed  audit 
work  at  DMC-Denver  and  DMC-St.  Louis.  This  program  audit  was  performed 
from  April  4  through  July  14,  1995.  The  audit  was  made  in  accordance  with 
auditing  standards  issued  by  the  Comptroller  General  of  the  United  States,  as 
implemented  by  the  IG,  DoD,  and  accordingly  included  such  tests  of 
management controls as were considered necessary. During the audit, we
visited  or  contacted  the  organizations  shown  in  Appendix  F. 


Management  Control  Program 


DoD  Directive  5010.38,  "Internal  Management  Control  Program,"  April  14, 
1987,  requires  DoD  organizations  to  implement  a  comprehensive  system  of 
management  controls  that  provides  reasonable  assurance  that  programs  are 
operating  as  intended,  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review  of  Management  Control  Program.  We  reviewed  the 
adequacy  of  management  controls  over  sensitive  features  of  the  operating 
system  and  security  software  and  other  general  controls  at  DMC-Denver  and 
DMC-St. Louis. We did not evaluate the implementation of the DoD
management  control  program  at  these  two  Defense  megacenters  because  a  recent 
audit  determined  that  DISA  WESTHEM  had  improperly  defined  its  assessable 
units  in  FY  1994.*  The  DISA  WESTHEM  treated  the  16  Defense  megacenters 
as  a  single  assessable  unit  (computer  operations)  during  FY  1994.  Doing  so 
was  not  reasonable  because  these  Defense  megacenters  represented  the  majority 
of  the  mission  and  resources  of  DISA  WESTHEM.  To  correct  this  problem, 
DISA  WESTHEM  designated  each  Defense  megacenter  as  an  assessable  unit 
during  FY  1995.  We  also  did  not  evaluate  the  management  control  program  at 
MCCTA  because  no  audit  work  was  performed  at  that  organization. 

Adequacy  of  Management  Controls.  The  followup  audit  at  the  two  Defense 
megacenters  evaluated  management  controls  over  the  operating  system  and 
security  software  and  other  general  controls.  Material  management  control 
weaknesses,  as  defined  by  Office  of  Management  and  Budget  Circular 
No.  A-123  and  DoD  Directive  5010.38,  "Internal  Management  Control 
Program,"  April  14,  1987,  existed  in  DMC-Denver's  general  controls  over  one 
SVC.  Inadequate  controls  over  this  sensitive  feature  of  the  operating  system 
made  it  possible  for  knowledgeable  users  to  improperly  access,  modify,  or 
destroy  sensitive  computer  data  and  programs  without  detection.  Implementing 
Recommendation A.1. will correct the material weakness in SVC controls on
the  operating  system  at  DMC-Denver.  See  Part  I  (Finding  A)  of  this  report  for 
details.  As  shown  in  Appendix  E,  strengthened  management  controls  and  other 
nonmonetary  benefits  will  be  realized  from  implementing  the  recommendations. 
A  copy  of  the  report  will  be  provided  to  the  senior  official  in  DISA  responsible 
for  management  controls. 


*The  audit  of  the  DISA  WESTHEM  management  control  program  was  discussed  in 
IG,  DoD,  Report  No.  95-280,  "Internal  Management  Control  Program,  Defense 
Information  Systems  Agency,  Western  Hemisphere,"  July  26,  1995. 
Computer Security Audits


Prior  IG,  DoD,  and  AFAA  audits  determined  that  financial  computer  systems 
critical  to  DoD  were  exposed  to  fraud  and  other  risks.  Knowledgeable  users 
could  exploit  weaknesses  in  the  operating  system  and  security  software  and 
other  general  controls  to  improperly  access,  add,  modify,  or  destroy  sensitive 
computer  data,  programs,  and  other  resources  (accidentally  or  intentionally) 
without  risk  of  detection.  Management  generally  concurred  in  the 
recommendations  made  to  improve  computer  security.  The  reports  issued  on 
these  prior  audits  and  the  audit  followup  made  in  this  and  other  IG,  DoD,  audits 
are  discussed  below. 

AFAA  Report,  "Data  Processing  Center  (DPC)  Operations  and 
Security  at  the  Air  Force  Accounting  and  Finance  Center  (AFAFC)  (Project 
No.  0195410),"  August  5,  1991.  The  report  identified  weaknesses  in  the 
controls  over  operating  system  and  security  software  at  the  finance  center.  IG, 
DoD,  Report  No.  95-263,  "Controls  Over  Operating  System  and  Security 
Software  Supporting  the  Defense  Finance  and  Accounting  Service,"  June  29, 
1995,  was  issued  on  the  followup  made  on  the  prior  recommendations,  which 
were intended to improve the security of the computer center (now
DMC-Denver) of the Air Force Accounting and Finance Center.

IG,  DoD,  Report  No.  93-002,  "Controls  Over  Operating  System  and 
Security  Software  Supporting  the  Defense  Finance  and  Accounting 
Service,"  October  2,  1992.  The  report  identified  weaknesses  in  the  controls 
over  the  operating  system  and  security  software  at  two  DISA  organizations: 
DIPC-Cleveland  and  DIPC-Indianapolis.  IG,  DoD,  Report  No.  95-263  was 
issued  on  the  followup  at  DIPC-Cleveland.  See  Part  I  of  this  report  for  a 
discussion  of  the  followup  results  at  DMC-Denver  on  the  recommendations 
made  to  DIPC-Indianapolis.  Repeat  findings  at  DMC-Denver  were  reported  in 
Finding  A  on  sensitive  features  of  the  operating  system  and  in  Finding  B  on  the 
tape management system, the production scheduling system, and the master
catalog. 

IG,  DoD,  Report  No.  93-133,  "Controls  Over  Operating  System  and 
Security  Software  Supporting  the  Defense  Finance  and  Accounting 
Service,"  June  30,  1993.  The  report  identified  weaknesses  at  DIPC-Dayton, 
DIPC-Columbus  (now  DMC-Columbus),  and  the  DLA  Defense  Systems 
Automation  Center  (now  DLA-DSDC)  over  operating  system  and  security 
software.  The  DIPC-Dayton  no  longer  exists  because  its  work  load  migrated  to 
DMC-Columbus  during  FY  1994.  IG,  DoD,  Report  No.  95-263  was  issued  on 
the  followup  at  DLA-DSDC  and  DMC-Columbus. 
IG, DoD, Report No. 94-060, "General Controls for Computer
Systems  at  the  Information  Processing  Centers  of  the  Defense  Information 
Services  Organization,"  March  18,  1994.  The  report  identified  weaknesses  at 
one  DFAS  and  three  DISA  organizations  in  controls  over  abnormal  endings  to 
computer  operations;  maintenance  and  security  oversight  of  automatic  data 
processing  equipment;  access  to  sensitive  computer  assets;  and  potential 
environmental  hazards.  Weaknesses  in  change  control  procedures  at  the  DFAS 
Financial  Systems  Activity  (FSA)  Denver  were  also  identified.  See  IG,  DoD, 
Report  No.  95-270,  "Corrective  Actions  on  System  and  Software  Security 
Deficiencies," June 30, 1995, for followup at DFAS FSA Denver. See IG,
DoD, Report No. 95-263 for followup at the Defense Information Services
Organization (now DISA WESTHEM), DIPC-Columbus (now DMC-Columbus),
and DIPC-Denver (now DMC-Denver). We determined that
followup  was  no  longer  viable  on  recommendations  to  DIPC-Indianapolis  to 
make  structural  improvements  or  revise  operating  procedures.  Such 
recommendations  were  made  obsolete  when  the  DIPC-Indianapolis  computer 
system  migrated  to  DMC-Denver. 

IG,  DoD,  Report  No.  94-065,  "Controls  Over  Operating  System  and 
Security  Software  Supporting  the  Defense  Finance  and  Accounting 
Service,"  March  24,  1994.  The  report  identified  weaknesses  in  the  controls 
over  operating  system  and  security  software  at  DFAS  FSA  Pensacola  (now 
DIPC-Pensacola),  DIPC-Kansas  City,  MCCTA,  and  MCCTA  Worldwide 
Support Division. See IG, DoD, Report No. 95-270 for followup at
DIPC-Pensacola. The computer systems previously audited at DIPC-Kansas City and
both Marine Corps organizations migrated to DMC-St. Louis during FY 1995.
See Part I of this report for a discussion of followup at DMC-St. Louis on the
recommendations  made  to  DIPC-Kansas  City  and  the  two  Marine  Corps 
organizations. 

IG,  DoD,  Report  No.  95-066,  "Controls  Over  Application  Software 
Supporting  the  Navy's  Inventories  Held  for  Sale  (Net),"  December  30, 
1994.  The  report  identified  weaknesses  in  the  controls  over  operating  system 
and security software, and in the integrated data management system at
DMC-Mechanicsburg (Pennsylvania) and the Naval Supply Systems Command, Ships
Parts  Control  Center,  Mechanicsburg,  Pennsylvania.  The  prior  report  had  not 
been  issued  at  the  time  this  followup  audit  was  requested.  Followup  on  the 
11  recommendations  made  in  IG,  DoD,  Report  No.  95-066  will  be  performed 
under  a  separate  audit. 


Audit  Followup 


Except  for  IG,  DoD,  Report  No.  95-066,  followup  was  conducted  on  the  prior 
audits  under  the  present  audit  and  two  other  followup  audits.  IG,  DoD,  Reports 
No.  95-263  and  95-270  were  issued  on  the  other  followup  audits. 

The  earlier  followup  audits  determined  that  DFAS,  DISA,  and  DLA  made 
commendable  efforts  to  implement  prior  audit  recommendations.  However,  the 
3 Defense agencies had not adequately implemented 20 of 87 prior audit
recommendations.  The  reports  identified  weaknesses  in  the  controls  over 
operating  system  and  security  software,  environmental  hazards,  system 
recertification  reviews,  change  controls,  and  other  operating  procedures. 
Certain  weaknesses  in  the  operating  system  were  considered  material. 
Improvements  were  recommended  in  operating  system  and  security  software, 
environmental  controls,  and  management  controls. 
Access Control is a general term used to describe a number of techniques that
restrict  users  of  a  computer  system  from  gaining  access  to  the  system  or  each 
others'  data,  or  from  performing  unauthorized  actions.  When  applied  to 
software,  access  control  usually  refers  to  one  of  the  specialized  software 
security  packages,  such  as  CA-TOP  SECRET. 

Accessor  Identifier  (ACID)  is  a  method  by  which  users  sign  on  to  a  computer 
and  are  identified.  This  term  is  used  for  CA-TOP  SECRET  security  software. 

Application  Programs  are  programs  that  are  intended  to  serve  particular 
business  or  nonbusiness  needs  and  have  specific  input,  processing,  and  output 
activities.  Accounts  receivable,  general  ledger,  payroll,  and  personnel 
programs  are  examples  of  application  programs. 

Authorized  Program  Facility  (APF)  is  an  International  Business  Machines 
Corporation  (IBM)  mechanism  for  protecting  the  integrity  and  security  of  the 
MVS  operating  system.  It  provides  for  the  orderly,  controlled  extension  of  the 
operating  system  by  defining  special  program  libraries  that  may  contain 
programs  that  are  authorized  to  execute  in  the  supervisor  state.  APF-authorized 
programs  have  the  potential  to  bypass  all  security  controls. 

Only  properly  authorized  programs  should  be  allowed  to  perform  sensitive  tasks 
such  as  accessing  or  modifying  another  program's  execution  or  data  areas.  A 
program  that  can  perform  sensitive  functions  outside  of  established  APF  rules 
can  become  part  of  the  operating  system,  and  can  circumvent  or  disable  all 
security  mechanisms,  alter  audit  trails,  or  modify  any  computerized  data, 
regardless  of  the  presence  of  access  control  software. 

According  to  the  IBM  security  manual  for  MVS  operating  systems,  APF 
procedures  should  require  system  programmers  to  use  security  software  to 
control  the  creation  of  and  access  to  APF  libraries  and  the  creation  of  APF 
programs.  All  APF  programs  should  have  unique  names  to  prevent  mix-ups  in 
processing,  and  the  file  containing  the  names  of  APF  libraries  and  volume  serial 
numbers  (disk  device  numbers)  should  reflect  only  valid  libraries  and  volume 
serial  numbers.  Failure  to  comply  with  these  IBM  guidelines  can  introduce 
significant  integrity  exposures  to  the  operating  system,  and  can  lessen 
management's  control  over  system  software. 
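
The two APF checks described in the entry above (every entry in the APF list names a library that exists on the stated volume, and no program name appears in more than one APF library), shown as an added example that is not part of the original report. The record layout, dataset names, volume serials, and program names are constructed for illustration and are not CA-EXAMINE output.

```python
"""Check an APF library list against a dataset inventory (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApfEntry:
    dsname: str  # library name as it appears in the APF list
    volser: str  # volume serial number the list gives for that library


# Constructed sample: an APF list as an auditor might transcribe it.
APF_LIST = [
    ApfEntry("SYS1.LINKLIB", "SYSRES"),
    ApfEntry("SYS2.VENDOR.LOAD", "PROD01"),
    ApfEntry("SYS2.OLDTOOL.LOAD", "PROD02"),  # library no longer exists
    ApfEntry("SYS2.LOCAL.LOAD", "PROD09"),    # library is on another volume
]

# Constructed sample inventory: (dsname, volser) -> program names it holds.
INVENTORY = {
    ("SYS1.LINKLIB", "SYSRES"): {"IEFBR14", "IEBCOPY", "PAYUTIL"},
    ("SYS2.VENDOR.LOAD", "PROD01"): {"VNDMAIN", "PAYUTIL"},
    ("SYS2.LOCAL.LOAD", "PROD03"): {"LOCSVC"},
    ("USER.TEST.LOAD", "PROD02"): {"PAYUTIL"},  # not in the APF list
}


def invalid_entries(apf_list, inventory):
    """Return (entry, reason) for APF entries with no matching library.

    An entry is valid only when the named library exists on the named
    volume; anything else is a stale entry to remove from the list.
    """
    known_names = {dsname for dsname, _ in inventory}
    findings = []
    for entry in apf_list:
        if (entry.dsname, entry.volser) in inventory:
            continue
        if entry.dsname in known_names:
            reason = "wrong volume"
        else:
            reason = "library not found"
        findings.append((entry, reason))
    return findings


def duplicate_programs(apf_list, inventory):
    """Return {program: [libraries]} for names held by more than one
    valid APF library. Libraries outside the APF list are ignored."""
    owners = defaultdict(set)
    for entry in apf_list:
        for program in inventory.get((entry.dsname, entry.volser), ()):
            owners[program].add(entry.dsname)
    return {p: sorted(libs) for p, libs in owners.items() if len(libs) > 1}


def report(apf_list, inventory):
    """Build the findings as printable lines, one per exception."""
    lines = []
    for entry, reason in invalid_entries(apf_list, inventory):
        lines.append(f"INVALID  {entry.dsname} on {entry.volser}: {reason}")
    for program, libs in sorted(duplicate_programs(apf_list, inventory).items()):
        lines.append(f"DUPLICATE  {program} in {', '.join(libs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(APF_LIST, INVENTORY)))
```
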

Data  base  is  a  collection  of  interrelated  data  stored  together. 

Disk  is  a  data  storage  device  that  allows  data  to  be  accessed  randomly  or 
sequentially  without  passing  through  unwanted  data. 

File is a collection of related data records stored on an external storage medium,
usually  a  disk  or  tape. 

Imbedded  Passwords  are  passwords  that  are  coded  into  a  program. 
Job is a basic unit of work on an IBM computer. A job consists of one or more
steps  or  program  executions. 

Job  Control  Language  is  a  problem-oriented  computer  language  used  in  a  job 
that  identifies  the  job  or  describes  its  requirements  to  the  operating  system. 

Job  Entry  Subsystem  2  (JES2)  is  one  of  two  IBM  job  management  routines 
that  reads  the  job  stream  and  assigns  jobs  to  class  queues  (computer  data  or 
programs awaiting processing). The other job management routine is JES3.
JES2  processes  jobs  and  manages  system  input  and  output  processing.  JES2 
parameters  control  how  and  with  what  restrictions  jobs  will  be  run  on  a 
computer  system. 

JES2  options  allow  console  operator  commands  to  be  placed  in  job  control 
language.  The  options  are  assigned  by  type  of  job  class.  There  are  36  possible 
batch  job  classes,  and  two  additional  special  classes  for  time-share-option  logons 
and  started  tasks. 

Multiple  Virtual  Storage  (MVS)  is  the  IBM  multiple  virtual  storage  operating 
system. 

Profile  is  a  CA-TOP  SECRET  term  related  to  security  administration.  Profile 
user  identifications  contain  permissions  and  access  levels  to  resources  for 
multiple  users;  their  purpose  is  to  provide  a  place  in  the  security  data  base 
where  common  access  to  resources  can  be  stored. 

Program  Properties  Table  (PPT)  contains  the  names  of  special  programs, 
including  their  codes  and  properties.  Some  MVS  programs  are  allowed 
extraordinary  powers  and  privileges  not  normally  permitted  by  the  operating 
system.  A  list  of  these  programs,  including  their  special  powers  and  privileges, 
is  maintained  in  MVS,  and  is  known  as  the  PPT. 

Programs  in  the  PPT  can  bypass  security  software  mechanisms  such  as 
password  protection,  can  ignore  file  integrity,  and  can  assign  a  unique  storage 
protection  key  of  less  than  eight.  All  of  these  events  are  potential  threats  to 
system  integrity.  It  is  important  to  ensure  that  all  programs  in  the  PPT  have 
only  the  capabilities  needed  to  function  properly,  and  that  the  programs  are 
safeguarded  against  unauthorized  use. 

Program  names  must  be  kept  in  a  special  library  created  and  controlled  by  the 
installation,  or  in  two  IBM  default  libraries.  The  program  must  also  be 
contained  in  an  APF-authorized  library.  Controls  are  intact  if  users  cannot  get  a 
Trojan  Horse  program  into  an  APF-authorized  library  by  using  the  name  of  a 
nonexistent  program.  However,  if  APF  controls  are  weak,  the  risk  of 
unauthorized  entry  increases. 

Sensitive  Utilities  are  utility  programs  (as  defined  below)  that  can  bypass 
system  security  software  or  management  controls  and  destroy  data  if  not  used 
properly. 
Software is a generic term used to define all programming on a computer
system,  whether  supplied  by  vendors  or  developed  by  in-house  programmers. 
System  software  includes  the  operating  system  and  accompanying  utility 
programs  that  enable  a  user  to  control,  configure,  and  maintain  the  computer 
system  software. 

Supervisor  Call  (SVC)  is  an  assembler  language  instruction  that  causes  a 
hardware  interruption  when  executed.  The  operating  system  then  passes  control 
to  the  SVC  to  tell  the  operating  system  what  service  is  being  requested  (open  a 
file  for  read  or  write  access,  close  a  file,  etc.). 

SVCs  are  divided  into  two  categories.  One  category  is  available  to  all 
programs,  while  the  second  is  restricted  to  APF-authorized  programs  only. 
Validity  checking  is  the  control  technique  that  limits  the  execution  of  sensitive, 
unrestricted  SVCs.  The  first  200  SVCs  are  provided  by  IBM  or  other  software 
vendors.  The  remaining  56  SVCs  can  be  added  by  a  computer  center’s  in-house 
programmers to meet its unique requirements or vendor software requirements.

Trojan  Horse  is  a  program  that  executes  under  an  assumed  identity  or  name.  It 
uses  a  normal  program  name,  but  performs  unauthorized  tasks  not  associated 
with  the  normal  program  name.  For  example,  in  a  payroll  system,  a  Trojan 
Horse program could be used to give employees unauthorized promotions or
pay  increases. 

Update  Access  is  a  feature  of  the  security  system  that  allows  write  access  to  a 
file. 

Utility  Programs  are  computer  programs  or  routines  that  perform  general  data- 
and  system-related  functions  required  by  other  application  software,  by  the 
operating  system,  or  by  users.  Examples  include  copying,  sorting,  and  merging 
files. 
Appendix D. Summary of Current and Previous Followup Audit Results
by Finding, Report, Recommendation, and Responsible Organization as
of July 14, 1995

Note: See the footnotes at the end of the appendix.

[Table not recovered. Surviving column headings: "Report, Recommendation, and Organization" and "Recommendations Subject to Audit Folio" (cut off in the source).]
Appendix E. Summary of Potential Benefits
Resulting From Audit

Recommendation Reference: A.1., A.2., A.3.
Description of Benefit: Management controls. Reduces risk
of computer fraud by strengthening controls over sensitive features of
the operating system on System 615A at DMC-Denver.
Amount and Type of Benefit: Nonmonetary.

Recommendation Reference: B.1.a., B.1.b., B.1.c.
Description of Benefit: Management controls. Reduces risk
of computer fraud within DMC-Denver and other DISA WESTHEM
organizations by providing guidance and management oversight of the
tape management system and a sensitive administrative authority.
Amount and Type of Benefit: Nonmonetary.

Recommendation Reference: B.2.a., B.2.b., B.2.c.
Description of Benefit: Management controls. Reduces the
risk of computer fraud on System 615A at DMC-Denver by
enhancing security over the production job scheduling system,
establishing individual user accountability, and controlling
update access to the master catalog.
Amount and Type of Benefit: Nonmonetary.
Appendix F. Organizations Visited or Contacted


Department  of  the  Navy 

Marine  Corps  Computer  and  Telecommunications  Activity,  Quantico,  VA 


Other  Defense  Organizations 

Financial Systems Activity, Defense Finance and Accounting Service,
Kansas City, MO

Defense Information Systems Agency, Western Hemisphere, Fort Ritchie, MD^1
Defense Megacenter, Denver, CO^2
Defense Megacenter, St. Louis, MO^3

Kansas City Detachment, Kansas City, MO
Quantico Detachment, Quantico, VA


^1 DISA WESTHEM was referred to in IG, DoD, Reports No. 93-002 and No. 94-065
as either the Defense Information Technology Services Organization or the DISA
Defense Information Services Organization.

^2 In IG, DoD, Report No. 94-065, DMC-Denver was referred to as the Defense
Information Services Organization's Information Processing Center-Denver. The
DMC-Denver was responsible for acting on the recommendations made to
DIPC-Indianapolis in IG, DoD, Report No. 93-002.

^3 DMC-St. Louis was responsible for acting on the recommendations made to
DIPC-Kansas City and MCCTA in IG, DoD, Report 94-065.
Office of the Secretary of Defense

Under  Secretary  of  Defense  (Comptroller)* 

Deputy  Chief  Financial  Officer 

Director,  Chief  Financial  Officer  Support  Office 
Chief,  Internal  Management  Control  Division 
Internal  Control  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications  and 
Intelligence)* 

Director,  Defense  Logistics  Studies  Information  Exchange 
Assistant  to  the  Secretary  of  Defense  (Public  Affairs) 

Internal  Control  Officer,  Directorate  for  Organizational  and  Management  Planning, 
Administration  and  Management 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Navy 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 


Other  Defense  Organizations 

Policy  Liaison  Division,  Office  of  the  Assistant  Director,  Policy  and  Plans,  Defense 
Contract  Audit  Agency 

Director,  Defense  Finance  and  Accounting  Service  Denver  Center 


*Recipient  of  draft  report. 
Chief, Audit Control and Liaison, Customer Service and Performance Assessment
Deputate,  Defense  Finance  and  Accounting  Service 
Director,  Defense  Information  Systems  Agency* 

Commander,  Defense  Information  Systems  Agency,  Western  Hemisphere* 
Commanding  Officer,  Defense  Megacenter-St.  Louis* 

Director,  Defense  Megacenter-Denver* 

Inspector General, Defense Information Systems Agency*

Internal  Control  Officer,  Office  of  the  Comptroller 
Chief,  Internal  Review  Group,  Office  of  the  Director,  Defense  Logistics  Agency 
Inspector  General,  National  Security  Agency 

Audit  and  Internal  Management  Control  Liaison,  National  Security  Agency 


Non-Defense  Federal  Organizations  and  Individuals 

Special Projects Branch, National Security Division, National Security and
International  Affairs,  Office  of  Management  and  Budget 
Information  Management  and  Technology  Division,  General  Accounting  Office 
Technical  Information  Center,  National  Security  and  International  Affairs  Division, 
General  Accounting  Office 

Chairman  and  ranking  minority  member  of  each  of  the  following  congressional 
committees  and  subcommittees: 

Senate  Committee  on  Appropriations 

Senate Subcommittee on Defense, Committee on Appropriations
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 
House  Committee  on  Government  Reform  and  Oversight 
House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal 
Justice,  Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 


Part III - Management Comments


Defense  Information  Systems  Agency  Comments 


DEFENSE  INFORMATION  SYSTEMS  AGENCY 




Inspector General


II  MV  MS 


MEMORANDUM FOR INSPECTOR GENERAL, DEPARTMENT OF DEFENSE

ATTN: DIRECTOR, FINANCE AND ACCOUNTING DIRECTORATE

SUBJECT: Draft Audit Report on the Followup Audit of
Controls Over Operating System and Security
Software and Other General Controls for Computer
Systems Supporting the Defense Finance and
Accounting Service (Project No. 5FD>502C}

Reference: DODIG Draft Audit Report, subject as above,
14 Sep 95


1. We have reviewed the subject draft report and concur with the
recommendations addressed to DISA. Our management comments are
enclosed which discuss corrective actions to be taken on the
recommendations. Where corrective action has already been taken,
we have identified the actions taken.


2. The point of contact is Ms. Sandra J. Leicht, Audit Liaison.
If you have questions on our response, Ms. Leicht can be reached
on 703-C07-631S.


FOR  THE  DIRECTOR: 


Enclosure  a/s 


Inspector General
MANAGEMENT COMMENTS TO DODIG FOLLOWUP AUDIT ON CONTROLS OVER
OPERATING SYSTEM AND SECURITY SOFTWARE AND OTHER
GENERAL CONTROLS FOR COMPUTER SYSTEMS SUPPORTING
THE DEFENSE FINANCE AND ACCOUNTING SERVICE

PROJECT NO. B»-S03l


Recommendation A. Recommend that the Director, Defense
Megacenter Denver take the following corrective actions on System
C15A:

1. Make the appropriate changes required to eliminate the
integrity exposure on the one supervisor call.

2. Install sensitive utilities so that parameters are
properly defined.

3. Implement security software controls over the issuance
of sensitive utility commands through the monitoring facility.

Response to Supervisor Calls (SVCs). Concur with the
recommendation. On the migrated system eiSA from Indianapolis,
DMC Denver reconciled vendor modifications to the IBM SVCs and
user/vendor SVCs to letters of system integrity from the various
vendors. However, DMC Denver found one user/vendor supervisor
call that must be controlled because it could be used to damage
or allow unauthorized access to DMC Denver System «15A. The SVC
is a totally adapted SVC which is used in the Defense Joint
Military Pay System (DJMS) subroutines that call the SVC to affect
dynamic changes to dataset names. This SVC is also used on DMC
Denver's SYSa and SYS3.

DMC Denver is currently auditing all programs which call this
SVC. It is felt that »S% of all programs that use this SVC have
been identified. DMC Denver has begun testing a new secured SVC
to replace the existing SVC. The estimated date for
implementation in production is March 1P»€.

Response to Sensitive Utility Programs and Security Software
Controls. Concur with the recommendation. On System «1SA, the

utilities should be controlled. Since
*tkl bypasses standard operating system controls, DMC Denver must
activate the options appropriate for its environment. The
•til option was not activated for system SISA. In addition,
the <*tc] and *tD] utilities were not adequately controlled on
the DMC Denver System ClSA by the security software because their
commands could be issued through the •

* monitoring facility *

DMC Denver has turned on the *(8] option on *[A]. DMC Denver
has also turned on the security option for the eieoelteclaa]

Facility so that only those system programmers and operators
which need the ability to issue privileged commands have that
ability. All other users only have the ability to display and
manage their individual jobs and print output.

Recommendation B.1. Recommend the Commander, DISA WESTHEM:

a. Amend the "DISA WESTHEM Personnel and Security: MVS
Security Technical Implementation Standards" to include
guidelines for implementation of the Computer Associates,
Incorporated, CA-1 Tape Management System.

b. the "DISA WESTHEM Personnel and Security: MVS
Security Technical Implementation Standards" to address the
sensitive administrative authority and restrict its use to
authorized security administrators.

c. Include in the DISA WESTHEM security compliance
inspections a review of the Defense megacenter's implementation
of the Computer Associates, Incorporated, CA-1 Tape Management
System and the use of the sensitive administrative authority, as
established in accordance with Recommendations B.1.a. and B.1.b.

Response to Recommendation B.1. Concur with the recommendation.
The Director of Security, DISA WESTHEM, has initiated action to
incorporate standard Tape Management System controls into the MVS
TIS. These standards are projected to be included in the next
scheduled release of the MVS TIS. The estimated date for this
release is projected by March 1998.

The DISA WESTHEM Security Readiness Review (SRR) procedures
currently provide checklists for review of the Tape Management
Systems and associated controls. However, the checklists do not
currently include review of the "administrative" authority. The
Director of Security, DISA WESTHEM, will rewrite SRR checklists
to review of this privilege in the next production of the

SRR checklist scheduled for release by December 1995.
Recommendation B.2. Recommend that the Director, DMC Denver,
direct the following actions for System (ISA:

a. Implement the Production Job Scheduling System to allow
for job security checking and auditing.

b. Define all users individually to the system by assigning
user accessor identifiers according to the users' needs, and
remove all shared accessor identifiers.

c. Limit access to update the master catalog to the system
programmers responsible for maintaining the master catalog.

Response to Recommendation B.2. Concur with the recommendation.
Security interface options for the CA-1 Tape Management Software
were not implemented on System fl5X. The CA-1 security program
called *(i] is designed to interface with CA-Top Secret by
creating a security call based on resource class, resource
entity, and level of access. Based on the return code from the
external security system, ft[B] sets the appropriate return
code for CA-1 to either allow or disallow access. In order to
provide for external security processing, each of the 10 security
interface options can be activated or deactivated individually
using the associated parameters in *Vt], member *[(3-
Unless the options are activated, no calls are made to CA-Top
Secret for security checking; therefore, security is not invoked.

DMC Denver will be implementing a new version of CA-1 Tape
Management System in November 1995. DMC Denver will at that time
invoke the *tB] module and begin implementing and testing the
various options of eiEl. The estimated date that e[B]

security options should be completely implemented is 31 January
1996.